25 October 2019

Ongoing phishing campaign targets UN humanitarian organizations

Over the past few months, multiple humanitarian organizations around the world have been hit by spear-phishing attacks designed to trick aid workers into revealing their credentials. According to the Lookout researchers who uncovered the campaign, the list of victims includes more than a dozen organizations, among them the Red Cross, UNICEF, the UN World Food Programme, and the UN Development Programme.

The campaign has been active since March 2019. The two domains used to host the phishing content, session-services[.]com and service-ssl-check[.]com, are associated with an IP network block and ASN (Autonomous System Number) that have been known to host malware in the past.

The campaign uses several noteworthy techniques, including the ability to detect mobile devices and to log keystrokes directly as they are entered in the password field.

“Specifically, Javascript code logic on the phishing pages detects if the page is being loaded on a mobile device and delivers mobile-specific content in that case. Mobile web browsers also unintentionally help obfuscate phishing URLs by truncating them, making it harder for the victims to discover the deception,” the researchers explained.

Lookout also found that the attackers embedded keylogging functionality in the password field of the phishing login pages, allowing them to collect whatever is typed even if the victim doesn't complete the login or enters an unintended password.

The attackers also use SSL certificates to lend the phishing pages credibility. Of all the certificates used in this campaign so far, only six are still valid, suggesting that the attacks may still be ongoing.

“SSL certificates used by the phishing infrastructure had two main ranges of validity: May 5, 2019 to August 3, 2019, and June 5, 2019 to September 3, 2019,” the researchers said.
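The two page-level tricks described above (mobile detection in the page's JavaScript and keystroke capture wired to the password field) and the certificate validity windows just quoted are all things an analyst can check for when triaging a captured phishing page. The following Python script is an added example, not code from the article or from Lookout: it applies simple static heuristics to a constructed sample page and evaluates the two validity ranges quoted in the article against a triage date. The sample HTML, the regular expressions and the scoring are assumptions made for illustration, not indicators from the actual campaign.

```python
"""Triage heuristics for a captured phishing page (added example, not from the article)."""
import re
from datetime import date
from html.parser import HTMLParser

# Heuristic 1: script logic that inspects the browser's user agent for mobile platforms.
MOBILE_DETECT_RE = re.compile(
    r"navigator\.userAgent|/\(?(?:android|iphone|ipad|mobile)", re.IGNORECASE)

# Heuristic 2: keystroke or input handlers, either as inline attributes
# (onkeyup="...") or registered via addEventListener('keyup', ...).
KEY_EVENT_RE = re.compile(
    r"\b(?:onkeyup|onkeydown|onkeypress|oninput)\b"
    r"|addEventListener\(\s*['\"](?:keyup|keydown|keypress|input)['\"]",
    re.IGNORECASE)


class _FormScanner(HTMLParser):
    """Collects password inputs and inline <script> bodies from the page."""

    def __init__(self):
        super().__init__()
        self.password_inputs = []  # attribute dicts of <input type="password">
        self.scripts = []          # inline script bodies
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.password_inputs.append(attrs)
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def analyze_page(html: str) -> dict:
    """Return heuristic findings for a saved phishing page."""
    scanner = _FormScanner()
    scanner.feed(html)
    script_text = "\n".join(scanner.scripts)

    # Inline key handler directly on a password input is the strongest signal.
    inline_handlers = [
        attrs for attrs in scanner.password_inputs
        if any(KEY_EVENT_RE.search(name) for name in attrs)
    ]
    # Weaker signal: a password field exists and some script registers a key listener.
    scripted_capture = bool(scanner.password_inputs) and bool(KEY_EVENT_RE.search(script_text))

    findings = {
        "password_fields": len(scanner.password_inputs),
        "mobile_detection": bool(MOBILE_DETECT_RE.search(script_text)),
        "password_keystroke_capture": bool(inline_handlers) or scripted_capture,
    }
    findings["score"] = sum(
        1 for key in ("mobile_detection", "password_keystroke_capture") if findings[key])
    return findings


# Certificate validity ranges quoted in the article (not-before, not-after).
CERT_WINDOWS = [
    (date(2019, 5, 5), date(2019, 8, 3)),
    (date(2019, 6, 5), date(2019, 9, 3)),
]


def valid_windows(windows, today: date):
    """Return the validity windows that cover the given triage date."""
    return [w for w in windows if w[0] <= today <= w[1]]


# Constructed sample page: mobile UA check in script, key handler on the password field.
SAMPLE_PAGE = """<html><head><script>
if (/Android|iPhone|iPad/i.test(navigator.userAgent)) { document.body.className = 'mobile'; }
</script></head><body>
<form action="login"><input name="user">
<input type="password" name="pass" onkeyup="capture(this.value)">
</form></body></html>"""

if __name__ == "__main__":
    print(analyze_page(SAMPLE_PAGE))
    print("windows valid on article date:", valid_windows(CERT_WINDOWS, date(2019, 10, 25)))
```

The heuristics are deliberately coarse: a legitimate login page can also register input listeners, so a positive `password_keystroke_capture` is a prompt for manual review of the handler, not a verdict. Run against the constructed sample, both signals fire; on the article's publication date neither quoted certificate window is still valid, which is why the number of still-valid certificates is a useful proxy for whether infrastructure is being refreshed.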

The research team has not been able to attribute the campaign to any particular group or country. As for motive, the researchers said the goal is to compromise Okta and Microsoft credentials and gain access to those accounts, which could then be used for further attacks or intelligence gathering.

The full list of the targeted organizations, including the URLs and other IoCs, is available at the end of Lookout's report.
